This tutorial explains how to set up Thunderbird to digitally sign, encrypt and decrypt messages in order to make them secure.

Introduction

The email infrastructure that everyone uses is, by design, not secure. While most people connect to their email servers using a secure ("SSL") connection, some servers allow unsecured access. Furthermore, as the message moves through its transmission path from sender to recipient, the connections between each server are not necessarily secure. It is possible for third parties to intercept, read and alter email messages as they are transmitted.

When you digitally sign a message, you embed information in the message that validates your identity. When you encrypt a message, it appears to be "scrambled" and can only by read by a person who has the key to decrypting the message. Digitally signing a message ensures that the message originated from the stated sender. Encrypting ensures that the message has not been read or altered during transmission.

To encrypt messages, you can use the public-key cryptographic system. In this system, each participant has two separate keys: a public encryption key and a private decryption key. When someone wants send you an encrypted message, he or she uses your public key to generate the encryption algorithm. When you receive the message, you must use your private key to decrypt it.

Note: Never share your private key with anyone.

The protocol used to encrypt emails is called PGP (Pretty Good Privacy). To use PGP within Thunderbird, you must first install:

Select Enigmail from the search results and follow the instructions to install the add-on.

Creating PGP keys

Create your public/private keys as follows:

On the Thunderbird menu bar, click OpenPGP and select Setup Wizard.

Select Yes, I would like the wizard to get me started as shown in the image below. Click Next to proceed.

The wizard asks whether you want to sign all outgoing messages or whether you want to configure different rules for different recipients. It is usually a good idea to sign all emails so that people can confirm that the email is indeed from you. Message recipients do not need to use digital signatures or PGP to read a digitally signed message. Select Yes, I want to sign all of my email and click Next to proceed.

Next, the wizard asks if you want to encrypt all your emails. You should not select this option unless you have the public keys for all the people that you expect to send messages to. Select No, I will create per-recipient rules for those who send me their public keys and click Next to proceed.

The wizard asks if it can change some of your mail formatting settings to better work with PGP. It is a good choice to answer Yes here. Click Next to proceed.

Select the email account for which you want to create the keys. You need to enter a password in the ‘Passphrase’ text box which is used to protect your private key. This password is used to decrypt messages, so don't forget it. The password should be at least 8 characters long and not use any dictionary words. (See this Wikipedia article for information on creating strong passwords.) Enter this password twice and click Next to proceed.

The next screen displays the preferences you configured. If you are satisfied, click Next to proceed.

When the process of creating your keys is completed, click Next to proceed.

The wizard will ask if you want to create a ‘Revocation certificate’ which you would use if the security of your key pair was compromised and you needed to inform others that it is no longer valid. If you want to create the file click on Generate Certificate and follow the steps on the subsequent screens. Otherwise, click Skip.

The wizard finally informs you that it has completed the process. Click Finish to exit the wizard.

Sending and receiving public keys

Sending your public key via email

To receive encrypted messages from other people, you must first send them your public key:

Compose the message.

Select OpenPGP from the Thunderbird menu bar and select Attach My Public Key.

Send the email as usual.

Receiving a public key via email

To send encrypted messages to other people, you must receive and store their public key:

Open the message that contains the public key.

At the bottom of the window, double click on the attachment that ends in '.asc'. (This file contains the public key.)

Thunderbird automatically recognizes that this is a PGP key. A dialog box appears, prompting you to ‘Import’ or ‘View’ the key. Click Import to import the key.

You will see a confirmation that the key has been successfully imported. Click OK to complete the process.

Sending a digitally signed and / or encrypted email

Compose the message as usual.

To digitally sign a message, select OpenPGP from the Thunderbird menu and enable the Sign Message option. To encrypt a message, enable the Encrypt Message option. The system may ask you to enter your Passphrase before encrypting the message.

If your email address is associated with a PGP key, the message will be encrypted with that key. If the email address is not associated with a PGP key, you will be prompted to select a key from a list.

Send the message as usual.

Note: The subject line of the message will not be encrypted.

Reading a digitally signed and / or encrypted email

When you receive an encrypted message, Thunderbird will ask you to enter your secret passphrase to decrypt the message. To determine whether or not the incoming message has been signed or digitally encrypted you need to look at the information bar above the message body.

If the message has been encrypted and signed, the green bar also displays the text "Decrypted message".

If the message has been encrypted but not signed the bar would appear as shown below.

Note: A message which has not been signed could be from someone trying to impersonate someone else.

Revoking your key

If you believe that your private key has been "compromised" (that is, someone else has had access to the file that contains your private key), you should revoke your current set of keys as soon as possible and create a new pair. To revoke your current set of keys:

On the Thunderbird menu, click OpenPGP and select Key Management.

A dialog box appears as shown below. Check Display All Keys by Default to show all the keys.

Right-click on the key you want to revoke and select Revoke Key.

A dialog box appears asking if you really want to revoke the key. Click Revoke Key to proceed.

Another dialog box appears asking you to enter your secret passphrase. Enter the passphrase and click OK to revoke the key.

Send the revocation certificate to the people you correspond with so that they know that your current key is no longer valid. This ensures that if someone tries to use your current key to impersonate you, the recipients will know that the key pair is not valid.